MTS (Explorer)

How to access a remote site's LDAP server via VPN for the local site Check Point's Identity Awareness?

Hello and thank you in advance.

We have a problem: our Check Point gateways are now managed by the same cloud.

Let's say we have Check Point A and B.

The AD (LDAP) server is located at site A.

Sites A and B just have a VPN community connection, and we confirmed there are no communication errors between the sites.

At least, the site B hosts can access the site A LDAP for domain authentication at the moment.

We set up Identity Awareness on the site A Check Point and nothing is outstanding; everything works well.

We then tried to use the same configuration on the site B Check Point to connect to the same AD over the VPN.

It reported a connectivity issue and said the site B Check Point has NO connection to the remote site server.

Why?

[Image: Topology.JPG]
11 Replies
PhoneBoy (Admin)

Version/JHF level?
Do you have identity sharing enabled between the gateways?
How are identities acquired? (AD Query, Identity Collector, or?)

MTS (Explorer)

> Version/JHF level?

The latest.

> Do you have identity sharing enabled between the gateways?

Should be no.

> How are identities acquired? (AD Query, Identity Collector, or?)

I just want to find an AD user name from the log.

Below is the error message, FYI.

[Image: Capture2.PNG]
PhoneBoy (Admin)

This requires configuring Identity Awareness, which you are apparently trying to do.
For this to work, you must be running R80.20 and above and configure one of the gateways as an Active Directory proxy.

See: https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

MTS (Explorer)

The same AD and Identity Awareness are working for my 192.168.1.1 site.

For the 192.168.10.X Check Point it is not working... I have no idea how to make the 192.168.10.X Check Point use the right route and source interface to reach back to the AD...

Based on the route debug and traceroute, I find it goes out to the internet rather than over the VPN to the AD...
PhoneBoy (Admin)

Note that even though you did not explicitly configure it, the gateway is always included in the Encryption Domain.
However, you need to ensure the rules permit this traffic.
The traffic will probably come from the gateway's external IP, which is expected.

MTS (Explorer)

I even tried a rule permitting any source to any destination, and it still does not work for me.

I also checked the KB; it seems the 1500 series does not support having a local connection to AD.

But it seems that using another gateway managed by the same SMS (we are on Smart-1 Cloud) to share the AD is OK.

Might I know if you have done this as well? I would like to know the steps for configuring it.
PhoneBoy (Admin)

You can't use an SMB gateway as an AD proxy.
That is an RFE.
If you have a non-SMB gateway that is managed by the same AD server that also has access, you configure it per the docs I linked above.

MTS (Explorer)

So, there is no way for the 1570 to connect to the AD via VPN / proxy now?
PhoneBoy (Admin)

Correct, there is no way to do it with just SMB gateways.

MTS (Explorer)

Sorry, it seems I am missing one thing.

We are using a 6000 (formal Gaia OS) gateway for site A.

Only site B uses the 1570.

Any chance the AD can be connected in this case?
PhoneBoy (Admin)

The AD proxy is needed so Smart-1 Cloud can query your on-premise AD server.
Like I said previously, you need to configure Identity Sharing between the two gateways.
Please review the documentation I linked above.

Can your AD server accept LDAP requests on port 389?
If not, that also is a known limitation: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

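Two checks come up repeatedly in this thread: whether the site B gateway's path to the AD server actually stays inside the VPN (the traceroute observation above) and whether the AD server answers plain LDAP on TCP 389 (PhoneBoy's last question). The script below is an added example written for this thread; it is not Check Point code and not something either participant posted. It assumes the AD server lives at 192.168.1.10 (a constructed address; the thread only gives the 192.168.1.1 and 192.168.10.X networks) and treats RFC 1918 space as "inside the encryption domain", which matches the topology described but is an assumption about the reader's network. The traceroute text embedded below is constructed sample output, not a capture from the poster's gateway.

```python
import ipaddress
import re
import socket

LDAP_PORT = 389  # plain LDAP; the KB limitation PhoneBoy links concerns this port

# Assumed (constructed) address of the site A AD server; adjust for your network.
AD_SERVER_IP = "192.168.1.10"

# RFC 1918 ranges; in this thread's topology both sites use 192.168.x.x,
# so any hop outside these ranges means the packet left the VPN tunnel.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """Return True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_path(traceroute_output: str, ad_server_ip: str = AD_SERVER_IP) -> str:
    """Classify a traceroute toward the AD server.

    "internet"    - at least one hop is a public address: the traffic is leaving
                    the tunnel (check the encryption domain and the rule base).
    "vpn"         - every hop is private and the last one is the AD server.
    "unreachable" - no hop answered, or the trace never reached the AD server.
    """
    # Matches "1  192.168.10.1 (192.168.10.1)  0.4 ms" and "1  gw (192.168.10.1) ..."
    hop_re = re.compile(r"^\s*\d+\s+(?:\S+\s+)?\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
    hops = []
    for line in traceroute_output.splitlines():
        m = hop_re.match(line)
        if m:
            hops.append(m.group(1))
    if not hops:
        return "unreachable"
    if any(not is_rfc1918(h) for h in hops):
        return "internet"
    if hops[-1] == ad_server_ip:
        return "vpn"
    return "unreachable"


def local_source_for(dest_ip: str, port: int = LDAP_PORT) -> str:
    """Ask the local routing table which source address would be used toward dest_ip.

    Connecting a UDP socket sends nothing on the wire; it only resolves the route,
    so getsockname() reveals the interface the gateway would source from.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, port))
        return s.getsockname()[0]
    finally:
        s.close()


def ldap_port_open(host: str, port: int = LDAP_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample traces (not captured from the thread's gateways).
VPN_TRACE = (
    " 1  192.168.10.1 (192.168.10.1)  0.4 ms\n"
    " 2  192.168.1.1 (192.168.1.1)  12.1 ms\n"
    " 3  192.168.1.10 (192.168.1.10)  12.5 ms\n"
)
INTERNET_TRACE = (
    " 1  192.168.10.1 (192.168.10.1)  0.4 ms\n"
    " 2  203.0.113.1 (203.0.113.1)  8.0 ms\n"
    " 3  * * *\n"
)


if __name__ == "__main__":
    print("sample VPN trace:     ", classify_path(VPN_TRACE))
    print("sample internet trace:", classify_path(INTERNET_TRACE))
    try:
        print("source address toward AD:", local_source_for(AD_SERVER_IP))
    except OSError as exc:
        print("no route toward AD:", exc)
    print("TCP 389 reachable:", ldap_port_open(AD_SERVER_IP))
```

Run it on the site B gateway (or a host behind it) and compare the reported source address with the interface the VPN community expects; if `classify_path` reports "internet" for a real trace, the gateway is not encrypting the LDAP traffic, which is exactly the symptom described in the thread.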